A recent investigation of the password management practices of the U.S. Department of the Interior has identified multiple password failures that are putting its internal network and applications at risk of compromise. The investigation was conducted by the Department of the Interior Office of Inspector General (DOI OIG) to determine how well the Department’s password management and enforcement controls were working. The verdict: not very well.
The Department of the Interior is responsible for the management of public lands and minerals, national parks, wildlife, and cultural refuges. For the investigation, the DOI OIG evaluated 85,944 passwords and the password management practices of the Department and attempted to crack those passwords. Within 90 minutes, 16% of the Department’s passwords were cracked, and by the time the investigation was completed, more than one-fifth (21%) of the Department’s user passwords had successfully been cracked – 18,174 accounts.
The tests of passwords were hardly cutting edge. DOI OIG used the same techniques hackers would use, using lists of passwords that had previously been compromised in data breaches, which are easy to obtain on the Internet. “We used a compiled list of breached passwords in combination with dictionary words in our hash-cracking system,” explained DOI OIG. “As with password lists, there are also databases of previously cracked hashes readily available on the internet.”
So, what was the problem? Why were all those passwords so easy to crack? The DOI OIG discovered the Department’s password complexity requirements were woefully out of date and not fit for purpose. For instance, while there were password complexity requirements, they did not prevent passwords containing the word “password” or variants of it. In total, 4.75% of all Department passwords included the word “password” or a variant of it.
A test conducted by Hive Systems determined that a password of 12 characters containing upper- and lower-case letters, numbers, and symbols would take around 3,000 years to crack. However, if that password was Password-1234, it would meet the complexity requirements yet present no problem to a hacker. Password-1234 was the most commonly used password at the Department and had been used to secure 478 unique active accounts. In fact, 5 of the 10 most reused passwords included the word “password” or a variant of it followed by the sequential numbers 1234. There were no rules in place to prevent these weak passwords from being set, nor to stop unrelated staff from setting the same weak password. Other weak passwords identified included Changeme$12345, Polar_bear65, and Nationalparks2014!
The DOI OIG also assessed multi-factor authentication implementation, which has been recommended for more than 18 years, and found haphazard implementation. The Department was unable to confirm which systems had MFA implemented. DOI OIG found 89% of high-value assets had no MFA implemented. Further, when accounts are no longer active, they need to be deactivated. The Department did not deactivate unused accounts in a timely manner, nor were password age limits enforced, which left more than 6,000 accounts vulnerable to attack.
All passwords can be cracked using brute force tactics given sufficient time, which is why they need to be complex. A password of 6 characters, regardless of the digits, letters and symbols it contains, can be cracked almost instantly using the latest GPUs. Even a complex password of 8 characters presents little problem, taking less than 40 minutes to crack. This is why the recommended minimum length for passwords is 12 characters. Passwords should also not contain dictionary words, as this makes them much easier to crack.
Password complexity requirements need to be enforced, but the problem is that users will often look for a way to meet those requirements with passwords that are easy to remember, which results in passwords such as Nationalparks2014! and Password-1234 being set. Controls need to be in place to prevent this. To make it easier for users to set complex passwords, a password manager should be provided. Password managers auto-generate complex passwords, and users do not need to remember them because they are auto-filled when needed. Only one password needs to be set – the master password – and staff should be instructed on how to create and set a complex master password. 2-factor authentication should also be implemented for the password manager and for all accounts. There are many password managers available at a low cost. Bitwarden, for example, offers a host of advanced functionality for enterprise use, including SSO integration and SCIM support, for just $5 per user per month – a small cost to pay for the improvements to password security.